STP attack and defense

The topic of today's article is "STP attack and protection". STP has its pros and cons. Below we look at how the features of STP can be used to attack it, and then at how to protect STP from those attacks.

We will not retell what the Internet already says about how STP works; let's get straight down to business.

STP attack
To attack and protect STP, you will need a lab.

This example shows a portion of the standard topology most commonly used in the enterprise segment. SW1 acts as the root bridge; SW2 and SW3 are non-root switches. Ports Et0/0 and Et0/1 on SW1, Et0/1 and Et0/3 on SW2, and Et0/0 and Et0/2 on SW3 carry traffic; the direct link between the two access switches (Et0/0 on SW2, Et0/1 on SW3) is blocked by STP to avoid a loop.

Traffic goes along the path SW2 - SW1 - SW3. We then connect our Linux machine to the two access switches SW2 and SW3 and notice that we are receiving STP messages (BPDUs).

These messages mean that STP is running on the switches and is not filtered on the ports connected to us. We combine our two interfaces into a bridge so that traffic can pass through our device, launch the Yersinia framework and see that STP is available to us on both interfaces.

We start the attack and choose the Claiming Root Role attack type: we begin advertising ourselves as a switch with a better (lower) bridge ID than the current root, which forces the STP tree to rebuild.

As expected, we became the root switch for our network segment, and the traffic that previously went through SW1 now takes the path SW2 - LINUX - SW3:

SW1
Code:
SW1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0f00
             Cost        300
             Port        2 (Ethernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     aabb.cc00.1000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Altn BLK 100       128.1    Shr
Et0/1               Root FWD 100       128.2    Shr
SW2
Code:
SW2# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0f00
             Cost        200
             Port        3 (Ethernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.2000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr
Et0/1               Desg FWD 100       128.2    Shr
Et0/2               Root FWD 100       128.3    Shr
Et0/3               Desg FWD 100       128.4    Shr
SW3
Code:
SW3# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0f00
             Cost        200
             Port        4 (Ethernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.3000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr
Et0/1               Altn BLK 100       128.2    Shr
Et0/2               Desg FWD 100       128.3    Shr
Et0/3               Root FWD 100       128.4    Shr
To check, let's run a ping:
Code:
R4# ping 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.5, timeout is 2 seconds:
.!!!!
We can see that the ICMP packets have gone through our machine.

ICMP packets go through our computer

ICMP is used here solely for clarity; in the same way you can intercept any traffic that crosses the part of the tree you have rebuilt.

Next, we will look at other types of STP attacks that can be implemented using Yersinia.

Sending conf BPDU sends a single configuration BPDU. The switches in our L2 segment rebuild the tree around it and, once our BPDU ages out (max age, 20 seconds by default), return to the original scheme, since no further BPDUs arrive from our machine.

The root bridge sends a configuration BPDU every hello time (two seconds by default). It carries the main parameters: the root bridge ID (priority and MAC), the sending bridge's ID and the port it was sent from, the path cost to the root, the timers, and the Topology Change flag that tells switches to shorten CAM-table aging. Since in this scenario we impersonate the root bridge, we send a configuration BPDU with the same priority as the current root but a lower MAC address, which gives us the better bridge ID.

Sending TCN BPDU makes the root bridge start the mechanism that flushes CAM-table entries whose source MAC has not been seen for more than 15 seconds (the forward delay).

By default a MAC address stays in the table for 300 seconds. When a port changes state (for example UP/DOWN), a switch participating in STP sends a TCN (topology change notification) BPDU toward the root bridge to announce that the network has changed. The root then sets the Topology Change flag in its configuration BPDUs, and every switch reduces its aging time to the forward delay, since the other switches do not know which MAC addresses were behind the affected port. All addresses not relearned within 15 seconds are deleted. This attack increases the load on the network and on the switch CPUs; a side effect is that frames to a flushed address are flooded out all ports until it is relearned, which exposes them to anyone on the segment. In this mode the TCN is sent once.
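The root claim above and the BPDU fields just described can both be seen on the wire. The following Python is an added example, not code from the article or from Yersinia: it builds 802.1D configuration and TCN BPDUs the way an attacker would (LLC header plus BPDU body), using the values from the switch output above (legitimate root at priority 8193 / aabb.cc00.1000, forged claim at the same priority with the lower MAC aabb.cc00.0f00), parses them back, applies the standard 802.1D comparison to show why the forged BPDU wins, and flags a received BPDU that claims a better root than the one the segment is supposed to have. Field layout follows the standard; the exact bytes Yersinia emits are not reproduced here, and sending the frame (to 01:80:C2:00:00:00 via a raw socket) is left out on purpose.

```python
import struct

LLC_STP = bytes.fromhex("424203")   # DSAP 0x42, SSAP 0x42, UI control field
TC_FLAG, TCA_FLAG = 0x01, 0x80      # Topology Change / TC Acknowledgement bits


def mac_bytes(mac):
    """'aabb.cc00.1000' or 'aa:bb:cc:00:10:00' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def mac_str(b):
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def bridge_id(priority, mac):
    """802.1D bridge ID: 16-bit priority (incl. sys-id-ext) followed by the 48-bit MAC."""
    return (priority << 48) | int.from_bytes(mac_bytes(mac), "big")


def split_bridge_id(bid):
    return bid >> 48, mac_str((bid & 0xFFFFFFFFFFFF).to_bytes(6, "big"))


def build_config_bpdu(root_prio, root_mac, bridge_prio, bridge_mac,
                      port_id=0x8001, root_path_cost=0, flags=0,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """LLC header + 35-byte configuration BPDU. Timers travel in units of 1/256 s."""
    body = struct.pack("!HBBBQIQHHHHH",
                       0x0000, 0x00, 0x00, flags,
                       bridge_id(root_prio, root_mac), root_path_cost,
                       bridge_id(bridge_prio, bridge_mac), port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)
    return LLC_STP + body


def build_tcn_bpdu():
    """LLC header + 4-byte Topology Change Notification BPDU (type 0x80)."""
    return LLC_STP + struct.pack("!HBB", 0x0000, 0x00, 0x80)


def parse_bpdu(frame):
    if frame[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    body = frame[3:]
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0:
        raise ValueError("unknown protocol id")
    if bpdu_type == 0x80:
        return {"type": "tcn"}
    if bpdu_type != 0x00:
        raise ValueError(f"unsupported BPDU type {bpdu_type:#x}")
    (flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd) = struct.unpack("!BQIQHHHHH", body[4:35])
    return {"type": "config", "tc": bool(flags & TC_FLAG), "tca": bool(flags & TCA_FLAG),
            "root_id": root, "root_path_cost": cost, "bridge_id": bridge, "port_id": port,
            "msg_age": msg_age / 256, "max_age": max_age / 256,
            "hello": hello / 256, "fwd_delay": fwd / 256}


def priority_vector(b):
    """802.1D tie-break order, lower wins: root ID, root path cost, sender bridge ID, port ID."""
    return (b["root_id"], b["root_path_cost"], b["bridge_id"], b["port_id"])


def is_superior(candidate, incumbent):
    return priority_vector(candidate) < priority_vector(incumbent)


def check_bpdu(frame, expected_root_prio, expected_root_mac):
    """Detector: a finding if the frame is a TCN or claims a better root than the known one."""
    b = parse_bpdu(frame)
    if b["type"] == "tcn":
        return "TCN BPDU received: expect CAM aging to drop to forward delay"
    if b["root_id"] < bridge_id(expected_root_prio, expected_root_mac):
        prio, mac = split_bridge_id(b["root_id"])
        return f"rogue root claim: priority {prio} MAC {mac} beats the expected root"
    return None


if __name__ == "__main__":
    # Legitimate root (SW1) and the forged claim, values taken from the switch output above
    legit = build_config_bpdu(8193, "aabb.cc00.1000", 8193, "aabb.cc00.1000")
    forged = build_config_bpdu(8193, "aabb.cc00.0f00", 8193, "aabb.cc00.0f00")
    print(is_superior(parse_bpdu(forged), parse_bpdu(legit)))   # same priority, lower MAC
    print(check_bpdu(forged, 8193, "aabb.cc00.1000"))
    print(check_bpdu(build_tcn_bpdu(), 8193, "aabb.cc00.1000"))
```

The comparison in priority_vector is the whole reason the attack works: with priority 8193 on both sides, the forged frame wins purely on the MAC, so a hardened root bridge should run with a priority no rogue host can match (for example 0 or 4096), and the detector's expected-root check is what root guard implements in hardware on a per-port basis.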

Example of the CAM-table aging timer being reset on receipt of a TC BPDU
Code:
SW1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.1000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     aabb.cc00.1000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
After sending the TCN BPDU:
Code:
SW1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.1000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     aabb.cc00.1000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec
Sending conf BPDUs and Sending TCN BPDUs do the same as above but continuously, as a DoS: the network is flooded with configuration and topology-change BPDUs and the switch CPUs are heavily loaded.

Counter of received BPDUs
Code:
SW2# show spanning-tree interface ethernet 0/2 detail
 Port 3 (Ethernet0/2) of VLAN0001 is designated forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.3.
   Designated root has priority 8193, address aabb.cc00.1000
   Designated bridge has priority 32769, address aabb.cc00.2000
   Designated port id is 128.3, designated path cost 100
   Hello is pending, Topology change is set
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is shared by default
   BPDU: sent 2330, received 6650463
Claiming Root Role, Claiming Other Role and Claiming Root Role with MITM are attacks like our example: by changing the priority or MAC, we rebuild the current STP tree.
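The BPDU counter above is the quickest sign of the DoS variants, and a steady BPDU stream on a designated access port is the sign of the root-claim variant. The Python below is an added example (not from the article): it parses two snapshots of `show spanning-tree interface ... detail`, computes the receive rate, and reports a flood or an unexpected neighbour bridge. The first snapshot is the SW2 output shown above; the second is constructed for the example, assuming the command was repeated 60 seconds later during the flood.

```python
import re

# The two lines of 'show spanning-tree interface <if> detail' the check needs
PORT_RE = re.compile(r"Port \d+ \((\S+)\) of (\S+) is (\w+) (\w+)")
BPDU_RE = re.compile(r"BPDU: sent (\d+), received (\d+)")


def parse_detail(text):
    """Extract port name, VLAN, role, state and the BPDU counters from one snapshot."""
    port = PORT_RE.search(text)
    counters = BPDU_RE.search(text)
    if not (port and counters):
        raise ValueError("unrecognised show output")
    return {"port": port.group(1), "vlan": port.group(2),
            "role": port.group(3), "state": port.group(4),
            "sent": int(counters.group(1)), "received": int(counters.group(2))}


def rx_rate(before, after, seconds):
    """BPDUs received per second between two snapshots of the same port."""
    if after["port"] != before["port"]:
        raise ValueError("snapshots are for different ports")
    return (after["received"] - before["received"]) / seconds


def assess(before, after, seconds, hello=2.0, slack=2.0):
    """A port hears at most one configuration BPDU per hello time from the bridge on
    the other end, so a rate well above 1/hello is a flood. A designated port facing
    end hosts should not hear a regular stream at all: if it does, another bridge
    (a switch or a Yersinia host) is advertising on that link."""
    rate = rx_rate(before, after, seconds)
    findings = []
    if rate > slack / hello:
        findings.append(f"{after['port']}: {rate:.1f} BPDU/s received, "
                        f"expected at most {1 / hello:g}/s (BPDU flood)")
    elif after["role"] == "designated" and rate >= 0.5 / hello:
        findings.append(f"{after['port']}: designated port receiving BPDUs at hello rate "
                        f"(another bridge is advertising on this link)")
    return findings


# Snapshot at t=0 is the SW2 output shown above; the t=60 s counters are constructed.
SNAPSHOT_T0 = """\
Port 3 (Ethernet0/2) of VLAN0001 is designated forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.3.
   Designated root has priority 8193, address aabb.cc00.1000
   Designated bridge has priority 32769, address aabb.cc00.2000
   Designated port id is 128.3, designated path cost 100
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is shared by default
   BPDU: sent 2330, received 6650463
"""
SNAPSHOT_T60 = SNAPSHOT_T0.replace("sent 2330, received 6650463",
                                   "sent 2360, received 7250463")


def demo():
    return assess(parse_detail(SNAPSHOT_T0), parse_detail(SNAPSHOT_T60), seconds=60)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same two thresholds work for any STP instance: with PVST+ there is one BPDU per VLAN per hello time on a trunk, so multiply the 1/hello bound by the number of VLANs on trunk ports before calling something a flood.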

STP protection
STP implementations contain mechanisms that prevent a newly connected device from becoming the root bridge, block ports that receive BPDUs, or filter BPDUs entirely.

In this article, we review the principles and commands used on Cisco equipment.

Root guard

When a port with root guard receives a BPDU superior to the current root's, the port is put into the root-inconsistent (blocking) state; it recovers on its own once the superior BPDUs stop. Root guard belongs on ports that must never become the root port, i.e. those facing downstream switches or hosts, never on the path toward the legitimate root.
Code:
SW2(config)# interface ethernet 0/2
SW2(config-if)# spanning-tree guard root
Port state when receiving a superior BPDU:
Code:
*Aug 1 13:58:03.304: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/2.
SW2# show spanning-tree interface ethernet 0/2
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg BKN*100       128.3    Shr *ROOT_Inc
It is easy to see that with this function enabled, the root-claim attack from the framework will not work.

BPDU guard
Limits the STP domain: upon receipt of any BPDU, the port is placed in the err-disabled state (cause bpduguard). It is meant for access ports that should only ever see end hosts. Note that an err-disabled port stays down until an administrator bounces it (shutdown / no shutdown) or errdisable recovery is configured for the bpduguard cause, so a single forged BPDU can also be used to knock a port out of service.
Code:
SW2(config)# interface ethernet 0/2
SW2(config-if)# spanning-tree bpduguard enable
After receiving a BPDU on a port with BPDU guard enabled:
Code:
*Aug 1 15:12:50.120: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/2 with BPDU Guard enabled. Disabling port.
SW2#
*Aug 1 15:12:50.120: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/2, putting Et0/2 in err-disable state
*Aug 1 15:12:51.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
*Aug 1 15:12:52.120: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
SW2# show interfaces ethernet 0/2
Ethernet0/2 is down, line protocol is down (err-disabled)
BPDU filter
BPDU filter stops the port from sending or receiving BPDUs; in other words, STP is disabled on that interface. Configured per interface, this also means a loop through that port will not be detected, so it should be used with care; on access ports BPDU guard is usually the better choice.
Code:
SW2(config-if)# spanning-tree bpdufilter enable
It is easy to see that with these functions in place, the attacks from the framework will not work.
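The three protections above are only as good as their coverage: one access port left with plain portfast is enough for the attack in the first half of this article. The Python below is an added example (not from the article or from Cisco) that audits a running-config excerpt for access ports without BPDU guard and for per-interface BPDU filter. The SW2 configuration it checks is constructed for the example, assuming Et0/2 (where the Linux box was plugged in above) has only portfast; the global `spanning-tree portfast bpduguard default` command, which applies BPDU guard to every portfast port, is used to show the fix. Root guard placement depends on which ports face downstream bridges, so it is deliberately not judged automatically here.

```python
import re


def parse_ios_config(text):
    """Split a running-config excerpt into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' terminates an interface stanza
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_stp(text):
    """Report ports where a rogue bridge (or a Yersinia host) could still join the STP domain."""
    global_lines, interfaces = parse_ios_config(text)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        access = "switchport mode access" in lines
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        guarded = ("spanning-tree bpduguard enable" in lines
                   or (global_bpduguard and portfast))
        if access and not guarded:
            findings.append(f"{name}: access port without BPDU guard")
        if "spanning-tree bpdufilter enable" in lines:
            findings.append(f"{name}: per-interface BPDU filter, STP is off on this port "
                            f"and a loop through it goes undetected")
    return findings


# Constructed SW2 excerpt (not from the article). Et0/2 has only portfast, so it
# still accepts BPDUs; Et0/3 is the corrected form of the same access port.
SW2_CONFIG = """\
spanning-tree mode pvst
!
interface Ethernet0/1
 switchport mode trunk
!
interface Ethernet0/2
 switchport mode access
 spanning-tree portfast
!
interface Ethernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""


if __name__ == "__main__":
    for finding in audit_stp(SW2_CONFIG):
        print(finding)
    # The global default closes the gap on every portfast port without touching each one
    print(audit_stp("spanning-tree portfast bpduguard default\n" + SW2_CONFIG))
```

Run it against `show running-config` output from each access switch; any port it reports is a place where the Claiming Root Role attack from the first half of the article still works.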

Conclusion
This is how easy it is, without resorting to complex schemes, to intercept traffic on the network. STP is a fairly simple protocol with no security features by default. Many people neglect to deploy protection mechanisms in the L2 domain, which can lead to rather serious consequences. Since STP only eliminates loops and does not force all traffic through the root bridge, you need to determine precisely where the traffic of interest flows and where the attack vector lies.